holmesgpt 0.13.0__py3-none-any.whl → 0.13.1__py3-none-any.whl

holmes/plugins/toolsets/bash/common/validators.py

@@ -1,4 +1,5 @@
 import argparse
+import fnmatch
 import re
 from typing import Union
 
@@ -22,3 +23,93 @@ def whitelist_validator(field_name: str, whitelisted_values: set[str]):
         return value
 
     return validate_value
+
+
+def validate_command_and_operations(
+    command: str,
+    options: list[str],
+    allowed_commands: dict[str, dict],
+    denied_commands: dict[str, dict],
+) -> None:
+    """Validate that the command and operation combination is safe, with wildcard support."""
+
+    # Check denied commands first (including wildcards)
+    _check_denied_command_with_wildcards(
+        command=command, options=options, denied_commands=denied_commands
+    )
+
+    # Check allowed commands (including wildcards)
+    _check_allowed_command_with_wildcards(
+        command=command, options=options, allowed_commands=allowed_commands
+    )
+
+
+def _check_options_against_denied_commands(
+    command: str, options: list[str], denied_commands: dict
+):
+    for idx, option in enumerate(options):
+        new_command = command + " " + option
+        for potential_command, children in denied_commands.items():
+            option_does_match = fnmatch.fnmatchcase(option, potential_command)
+            if option_does_match and children == {}:
+                raise ValueError(f"Command is blocked: {new_command}")
+            elif option_does_match:
+                _check_options_against_denied_commands(
+                    command=new_command,
+                    options=options[idx + 1 :],
+                    denied_commands=children,
+                )
+
+
+def _check_denied_command_with_wildcards(
+    command: str, options: list[str], denied_commands: dict[str, dict]
+) -> None:
+    # Check exact command match first
+    for potential_command, children in denied_commands.items():
+        command_does_match = fnmatch.fnmatchcase(command, potential_command)
+        if command_does_match and children == {}:
+            raise ValueError(f"Command is blocked: {command}")
+        elif command_does_match:
+            _check_options_against_denied_commands(
+                command=command, options=options, denied_commands=children
+            )
+
+
+def _do_options_match_an_allowed_command(
+    command: str, options: list[str], allowed_commands: dict
+) -> bool:
+    for idx, option in enumerate(options):
+        new_command = command + " " + option
+        for potential_command, children in allowed_commands.items():
+            option_does_match = fnmatch.fnmatchcase(option, potential_command)
+            if option_does_match and children == {}:
+                return True
+            elif option_does_match:
+                is_allowed = _do_options_match_an_allowed_command(
+                    command=new_command,
+                    options=options[idx + 1 :],
+                    allowed_commands=children,
+                )
+                if is_allowed:
+                    return True
+
+    return False
+
+
+def _check_allowed_command_with_wildcards(
+    command: str, options: list[str], allowed_commands: dict[str, dict]
+):
+    for potential_command, children in allowed_commands.items():
+        cursor_does_match = fnmatch.fnmatchcase(command, potential_command)
+        if cursor_does_match and children == {}:
+            return
+        elif cursor_does_match:
+            is_allowed = _do_options_match_an_allowed_command(
+                command=command, options=options, allowed_commands=children
+            )
+            if is_allowed:
+                return
+
+    raise ValueError(
+        f"Command is not in the allowlist: {command + ' ' + ' '.join(options)}"
+    )

holmes/plugins/toolsets/bash/docker/__init__.py

@@ -0,0 +1,59 @@
+import argparse
+from typing import Any, Optional
+
+from holmes.plugins.toolsets.bash.common.bash_command import BashCommand
+from holmes.plugins.toolsets.bash.common.config import BashExecutorConfig
+from holmes.plugins.toolsets.bash.common.stringify import escape_shell_args
+from holmes.plugins.toolsets.bash.common.validators import (
+    validate_command_and_operations,
+)
+from holmes.plugins.toolsets.bash.docker.constants import (
+    ALLOWED_DOCKER_COMMANDS,
+    DENIED_DOCKER_COMMANDS,
+)
+
+
+class DockerCommand(BashCommand):
+    def __init__(self):
+        super().__init__("docker")
+
+    def add_parser(self, parent_parser: Any):
+        docker_parser = parent_parser.add_parser(
+            "docker",
+            help="Docker Command Line Interface",
+            exit_on_error=False,
+        )
+
+        docker_parser.add_argument(
+            "command",
+            help="Docker command (e.g., ps, images, inspect)",
+        )
+
+        docker_parser.add_argument(
+            "options",
+            nargs=argparse.REMAINDER,
+            default=[],
+            help="Docker CLI subcommands, operations, and options",
+        )
+        return docker_parser
+
+    def validate_command(
+        self, command: Any, original_command: str, config: Optional[BashExecutorConfig]
+    ) -> None:
+        if hasattr(command, "options"):
+            validate_command_and_operations(
+                command=command.command,
+                options=command.options,
+                allowed_commands=ALLOWED_DOCKER_COMMANDS,
+                denied_commands=DENIED_DOCKER_COMMANDS,
+            )
+
+    def stringify_command(
+        self, command: Any, original_command: str, config: Optional[BashExecutorConfig]
+    ) -> str:
+        parts = ["docker", command.command]
+
+        if hasattr(command, "options") and command.options:
+            parts.extend(command.options)
+
+        return " ".join(escape_shell_args(parts))

holmes/plugins/toolsets/bash/docker/constants.py

@@ -0,0 +1,255 @@
+ALLOWED_DOCKER_COMMANDS: dict[str, dict] = {
+    # Container management (read-only)
+    "ps": {},
+    "container": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+        "logs": {},
+        "stats": {},
+        "top": {},
+        "port": {},
+        "diff": {},
+    },
+    # Image management (read-only)
+    "images": {},
+    "image": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+        "history": {},
+    },
+    # System information
+    "version": {},
+    "info": {},
+    "system": {
+        "info": {},
+        "events": {},
+        "df": {},
+    },
+    # Network inspection
+    "network": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+    },
+    # Volume inspection
+    "volume": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+    },
+    # Registry operations (read-only)
+    "search": {},
+    # Plugin inspection
+    "plugin": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+    },
+    # Node information (Swarm read-only)
+    "node": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+    },
+    # Service information (Swarm read-only)
+    "service": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+        "logs": {},
+        "ps": {},
+    },
+    # Stack information (read-only)
+    "stack": {
+        "ls": {},
+        "list": {},
+        "ps": {},
+        "services": {},
+    },
+    # Secret inspection (read-only metadata)
+    "secret": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+    },
+    # Config inspection (read-only)
+    "config": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+    },
+    # Context information
+    "context": {
+        "ls": {},
+        "list": {},
+        "inspect": {},
+        "show": {},
+    },
+}
+
+# Blocked Docker operations (state-modifying or dangerous)
+DENIED_DOCKER_COMMANDS: dict[str, dict] = {
+    # Container lifecycle operations
+    "run": {},
+    "create": {},
+    "start": {},
+    "stop": {},
+    "restart": {},
+    "pause": {},
+    "unpause": {},
+    "kill": {},
+    "remove": {},
+    "rm": {},
+    "exec": {},
+    "attach": {},
+    "cp": {},
+    "commit": {},
+    "update": {},
+    "rename": {},
+    "wait": {},
+    "container": {
+        "create": {},
+        "start": {},
+        "stop": {},
+        "restart": {},
+        "pause": {},
+        "unpause": {},
+        "kill": {},
+        "remove": {},
+        "rm": {},
+        "exec": {},
+        "attach": {},
+        "cp": {},
+        "commit": {},
+        "update": {},
+        "rename": {},
+        "wait": {},
+        "prune": {},
+        "export": {},  # Can exfiltrate full filesystem
+    },
+    # Image operations
+    "build": {},
+    "pull": {},
+    "push": {},
+    "tag": {},
+    "untag": {},
+    "rmi": {},
+    "load": {},
+    "import": {},
+    "save": {},
+    "image": {
+        "build": {},
+        "pull": {},
+        "push": {},
+        "tag": {},
+        "untag": {},
+        "rm": {},
+        "remove": {},
+        "load": {},
+        "import": {},
+        "save": {},
+        "prune": {},
+    },
+    # Network operations
+    "network": {
+        "create": {},
+        "rm": {},
+        "remove": {},
+        "connect": {},
+        "disconnect": {},
+        "prune": {},
+    },
+    # Volume operations
+    "volume": {
+        "create": {},
+        "rm": {},
+        "remove": {},
+        "prune": {},
+    },
+    # System operations
+    "system": {
+        "prune": {},
+    },
+    # Registry operations
+    "login": {},
+    "logout": {},
+    # Plugin operations
+    "plugin": {
+        "install": {},
+        "enable": {},
+        "disable": {},
+        "upgrade": {},
+        "rm": {},
+        "remove": {},
+        "push": {},
+        "create": {},
+        "set": {},
+    },
+    # Swarm operations
+    "swarm": {
+        "init": {},
+        "join": {},
+        "leave": {},
+        "update": {},
+        "join-token": {},
+        "unlock": {},
+        "unlock-key": {},
+    },
+    # Node operations
+    "node": {
+        "update": {},
+        "demote": {},
+        "promote": {},
+        "rm": {},
+        "remove": {},
+    },
+    # Service operations
+    "service": {
+        "create": {},
+        "update": {},
+        "scale": {},
+        "rm": {},
+        "remove": {},
+        "rollback": {},
+    },
+    # Stack operations
+    "stack": {
+        "deploy": {},
+        "rm": {},
+        "remove": {},
+    },
+    # Secret operations
+    "secret": {
+        "create": {},
+        "rm": {},
+        "remove": {},
+    },
+    # Config operations
+    "config": {
+        "create": {},
+        "rm": {},
+        "remove": {},
+    },
+    # Context operations
+    "context": {
+        "create": {},
+        "rm": {},
+        "remove": {},
+        "update": {},
+        "use": {},
+        "export": {},
+        "import": {},
+    },
+    # Checkpoint operations
+    "checkpoint": {},
+    # Buildx operations
+    "buildx": {},
+    # Compose operations
+    "compose": {},
+    # Trust operations
+    "trust": {},
+    # Manifest operations
+    "manifest": {},
+}

holmes/plugins/toolsets/bash/helm/__init__.py

@@ -0,0 +1,61 @@
+import argparse
+from typing import Any, Optional
+
+from holmes.plugins.toolsets.bash.common.bash_command import BashCommand
+from holmes.plugins.toolsets.bash.common.config import BashExecutorConfig
+from holmes.plugins.toolsets.bash.common.stringify import escape_shell_args
+from holmes.plugins.toolsets.bash.common.validators import (
+    validate_command_and_operations,
+)
+from holmes.plugins.toolsets.bash.helm.constants import (
+    ALLOWED_HELM_COMMANDS,
+    DENIED_HELM_COMMANDS,
+)
+
+
+class HelmCommand(BashCommand):
+    def __init__(self):
+        super().__init__("helm")
+
+    def add_parser(self, parent_parser: Any):
+        """Create Helm CLI parser with safe command validation."""
+        helm_parser = parent_parser.add_parser(
+            "helm", help="Helm Package Manager for Kubernetes", exit_on_error=False
+        )
+
+        # Add command subparser
+        helm_parser.add_argument(
+            "command", help="Helm command (e.g., list, get, status, show)"
+        )
+
+        # Capture remaining arguments
+        helm_parser.add_argument(
+            "options",
+            nargs=argparse.REMAINDER,
+            default=[],
+            help="Helm CLI subcommands, operations, and options",
+        )
+        return helm_parser
+
+    def validate_command(
+        self, command: Any, original_command: str, config: Optional[BashExecutorConfig]
+    ) -> None:
+        if hasattr(command, "options"):
+            validate_command_and_operations(
+                command=command.command,
+                options=command.options,
+                allowed_commands=ALLOWED_HELM_COMMANDS,
+                denied_commands=DENIED_HELM_COMMANDS,
+            )
+
+    def stringify_command(
+        self, command: Any, original_command: str, config: Optional[BashExecutorConfig]
+    ) -> str:
+        """Convert parsed Helm command back to safe command string."""
+        # Build command parts
+        parts = ["helm", command.command]
+
+        if hasattr(command, "options") and command.options:
+            parts.extend(command.options)
+
+        return " ".join(escape_shell_args(parts))

holmes/plugins/toolsets/bash/helm/constants.py

@@ -0,0 +1,92 @@
+ALLOWED_HELM_COMMANDS: dict[str, dict] = {
+    # Release management (read-only)
+    "list": {},
+    "ls": {},
+    "get": {
+        "all": {},
+        "hooks": {},
+        "manifest": {},
+        "notes": {},
+        "values": {},
+        "metadata": {},
+    },
+    "status": {},
+    "history": {},
+    "diff": {
+        "upgrade": {},
+        "rollback": {},
+        "revision": {},
+        "release": {},
+        "version": {},
+    },
+    # Chart operations (read-only)
+    "show": {
+        "all": {},
+        "chart": {},
+        "readme": {},
+        "values": {},
+        "crds": {},
+    },
+    "inspect": {},
+    "search": {
+        "repo": {},
+    },
+    "lint": {},
+    "verify": {},
+    "dependency": {"list": {}},
+    # Repository operations (read-only)
+    "repo": {"list": {}},
+    # Help and information
+    "help": {},
+    "version": {},
+    # Plugin operations (read-only)
+    "plugin": {
+        "list": {},
+    },
+    # Completion
+    "completion": {},
+}
+
+# Blocked Helm operations (state-modifying or dangerous)
+DENIED_HELM_COMMANDS: dict[str, dict] = {
+    # Release lifecycle operations
+    "install": {},
+    "upgrade": {},
+    "uninstall": {},
+    "delete": {},
+    "rollback": {},
+    "test": {},
+    # Repository management
+    "repo": {
+        "add": {},
+        "remove": {},
+        "rm": {},
+        "update": {},
+        "index": {},
+    },
+    # Chart packaging and publishing
+    "create": {},
+    "package": {},
+    "push": {},
+    "pull": {},
+    "fetch": {},
+    "dependency": {
+        "update": {},
+        "build": {},
+    },
+    # Plugin management
+    "plugin": {
+        "install": {},
+        "uninstall": {},
+        "update": {},
+    },
+    # Registry operations
+    "registry": {},
+    # Environment modification
+    "env": {},
+    # Configuration modification
+    "config": {},
+    # Mapkubeapis operations
+    "mapkubeapis": {},
+    "template": {},
+}